Allow hooks for submitting brew fetch to third-parties #16619

Open
SMillerDev opened this issue Feb 8, 2024 · 1 comment
Labels: features (New features), help wanted (We want help addressing this)

@SMillerDev
Member

Verification

Provide a detailed description of the proposed feature

Allow a user to opt in to hooks on brew fetch usage. Something like HOMEBREW_FETCH_HOOKS=archive-org,virustotal

What is the motivation for the feature?

Issues like Homebrew/homebrew-core#162013 would benefit from access to the tarball from the last time the formula went through CI. That would make it much easier to see what changed and rule it problematic or not.

How will the feature be relevant to at least 90% of Homebrew users?

It would allow people to:

  • extract the last working version of formula sources
  • have brew submit casks to virustotal
  • easily compare a changed checksum

What alternatives to the feature have been considered?

None

@SMillerDev added the "help wanted" (We want help addressing this) and "features" (New features) labels Feb 8, 2024
@MikeMcQuaid
Member

Issues like Homebrew/homebrew-core#162013 would benefit from access to the tarball from the last time the formula went through CI. That would make it much easier to see what changed and rule it problematic or not.
extract the last working version of formula sources

I don't think we should be using archive.org to cache every tarball we put through CI just in case this occurs again. Whether or not they explicitly forbid it, it seems like a gross misuse of resources.

  • have brew submit casks to virustotal

What would this solve? I've seen nothing but false positives from these tools' interactions with Homebrew over the years. It also does nothing to catch e.g. someone who pushes a (new) bitcoin miner or personal information uploader.

  • easily compare a changed checksum

It seems we have this already with storing checksums in formulae?


To be clear: I think there may well be problems here worth addressing: I just don't think the proposed solutions are the right ones or that it's best to jump to a solution without a wider understanding of the problem.
